Re: hard limits?

As noted, clearly I was doing it wrong: $ sudo firewall-cmd --permanent --new-ipset=blacklist --type=hash:ip --option=maxelem:131072 should be: $ sudo firewall-cmd --permanent --new-ipset=blacklist --type=hash:ip --option=maxelem=131072 "=" not ";". That corrected my syntax issue. I was still running into the maxelem limit. My blacklist is a mix of IPs and networks. Doing a broader search, I ran across a post at centos forums (https://www.centos.org/forums/viewtopic.php?t=8268). The gist being hash:ip seems to expand networks (like 192.168.1.0/24) into all the addresses in the network. hash:net is much more efficient for networks. So I now have a blacklist-ip list and blacklist-net list (one hash:ip, one hash:net). That seems to have solved my dilemma. -David